[Discussion] Protecting ourselves from bot instances

If you look at the top ~20 servers on fedidb, they are very clearly botswarms. Either intentionally set up that way, or accidentally due to turning off protections and not deleting users.

You can tell this because they have 70,000 registered users, but only 10 of them are active.

I believe we should pre-emptively defederate with botswarms before they're turned on. If the instance owners clear out the bots on their instances (like lemmy.ninja did) then they should be immediately refederated.

I don't know about you guys, but I don't want this place to be drowned in spam as soon as they're activated.

23 comments
  • Yup, fully agree.

  • I also agree that Lemmy instances should defederate from botswarm servers. If they can clean themselves or prove they are not botswarms then refederate. But there is little to no benefit from allowing them to run amok.

    It's not even necessarily bot content that is an issue but bot swarms would dictate what content everyone sees through artificially altering the votes on content posted. It's one of the reasons people have been fleeing Reddit and we don't want that here either.

  • We did vote for using an automated tool, even, to protect against such instances: https://sh.itjust.works/post/338826

    • Right as that vote was happening, we had new mods appointed and a new system for voting that involved a mandatory discussion step (which I 100% agree with).

      Starting this with the new process and rules I felt was important as this is an important issue.

  • I've expressed concerns about the potential effects of a bot-swarm before, and have had a few mildly constructive conversations about it. Here is a thread where I lay out a few of my concerns on the matter, but I'll copy the relevant text here for easier discovery.


    Me:

    I’m all for bots that are used as tools for the community, the invidious one seems pretty great too. A bit concerned about what the potential “bot army” on some of these instances will be used for going forward though.

    @[email protected]

    There is an option to hide bot accounts in your account settings. This is also why all bots must be tagged as such so people can choose if they want to see them or not, that’s the agreement with allowing bots on Lemmy for most instances.

    Me:

    I guess with that in mind, that brings different concerns into view for me. I’m wondering what proportion of this wave of bots have checked that option identifying themselves as such? If they’re good bots they will of course, but I’ve also read through posts of instance operators claiming they’ve gotten thousands of bot signups in hours, which doesn’t seem like good bot behavior to me. Are they likely to identify themselves as bots? Even if they did, would it matter? One example off the cuff, I should be able to filter bots from my feed and comments as you say, but what’s stopping them from upvoting / downvoting a specific group of users’ submissions and comments to the top of my hot feed, or upvoting / downvoting by keyword? If that happens en-masse you wouldn’t really be able to say that posts and comments are being ranked or discovered organically based on merit. While this sort of thing I suspect happens often elsewhere, it can serve to control the flow of information based on a single or small group of people’s will(s).


    That is just one of the more insidious possibilities that a bot-swarm could be used for. Spamming, scamming, brigading, and poisoning discussions en-masse are all possible with even a moderately sized number of bots with the technical ability to put them to use on a platform of this size.

    I've also seen announcement posts and the resulting post in The Agora covering the use of one tool (The Lemmy Overseer) that can help to automate the de/refederation of likely bot-infested instances. While I don't think the tool is going to deter particularly motivated actors, it should take care of the "low-hanging fruit" that is the tens of thousands of suspected bot accounts that have had no engagement on the platform since account creation. Instance owners take on a lot of responsibility when federating with others, just one of which is being responsible for securing their instance against automated signups. Once they take care of their bot problem they can become refederated automatically.

    TLDR: I think we should defederate botted instances preemptively. Automatic refederation is possible, and a Matrix channel for instance operators exists for discussing refederation as a fallback measure.

  • Question: what is the practical effect of remaining federated with an active bot swarm? Is it just that I will see bot posts in my "all" page? Or that bots will be able to post and comment in communities here and those that we are federated with?

    Sorry, I'm new to the fediverse, so I'm not super familiar.

    • There are 2 downsides, 1 small and 1 larger:

      Small one: the few real users there will be defederated through no fault of their own.

      Larger downside: the admins of that instance will not see why they're defederated (technical limitation). They may not know why, or even know that they have a large botswarm on their instance.

      I feel that these downsides are worth it though.

      • Sure, but I guess my question is what are the risks if nothing happens? In your post you say,

        I don’t want this place to be drowned in spam as soon as they’re activated.

        But what does this actually practically mean for me? Will the spam show up in my "all" page, or is the spam in the form of comments from bots on communities in sh.itjust.works, or something else? I'm not familiar enough with Lemmy, I feel, to understand the risks that a bot swarm on a different server poses to other servers.

  • Aye, the only reason we haven't seen any damage yet is because they haven't been used against us yet. I don't know any positive reason for why someone would make 20k accounts on an instance. Those instances should be refederated once they solve that issue.

  • I generally agree, but it depends on the criteria used to identify suspected botswarm servers. I'd be okay with something simple like calculating an instance's (monthly active users) / (total users) = X and then defederating if X is below some very small value.

    The automated tool mentioned by @[email protected] sounds interesting in concept but I can't dig into the details at the moment.
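
The ratio check proposed in the comment above, as an added example (not code from this thread or from the Lemmy Overseer). It reads the `usage.users.total` and `usage.users.activeMonth` fields of each instance's NodeInfo 2.0 document; the host names, sample numbers, size floor and threshold are assumptions, and the figures are self-reported by each instance.

```python
import json

# Constructed NodeInfo 2.0 documents; hosts and numbers are invented,
# except swarm.example, which mirrors the 70,000 / 10 figures in the post.
SAMPLE_NODEINFO = {
    "swarm.example": '{"usage": {"users": {"total": 70000, "activeMonth": 10}}}',
    "healthy.example": '{"usage": {"users": {"total": 12000, "activeMonth": 3100}}}',
    "small.example": '{"usage": {"users": {"total": 40, "activeMonth": 1}}}',
    "cleaned.example": '{"usage": {"users": {"total": 900, "activeMonth": 310}}}',
    "broken.example": '{"usage": {"users": {}}}',
}

MIN_TOTAL_USERS = 1000    # assumed floor: below this the ratio is too noisy
MIN_ACTIVE_RATIO = 0.005  # assumed "very small value" for X

def classify(raw_nodeinfo, min_total=MIN_TOTAL_USERS, min_ratio=MIN_ACTIVE_RATIO):
    """Return (verdict, X) where X = activeMonth / total for one instance."""
    try:
        users = json.loads(raw_nodeinfo)["usage"]["users"]
        total, active = int(users["total"]), int(users["activeMonth"])
    except (ValueError, KeyError, TypeError):
        return ("unknown", None)      # missing or malformed stats: review by hand
    if total <= 0 or active < 0:
        return ("unknown", None)
    ratio = active / total
    if total < min_total:
        return ("too_small", ratio)   # never auto-block tiny instances
    return ("suspect" if ratio < min_ratio else "ok", ratio)

def defederation_candidates(nodeinfo_by_host):
    """Hosts whose self-reported activity ratio falls below the threshold."""
    return sorted(h for h, raw in nodeinfo_by_host.items()
                  if classify(raw)[0] == "suspect")

def refederation_candidates(blocked_hosts, nodeinfo_by_host):
    """Blocked hosts that no longer look like a swarm, e.g. after a purge
    that drops the account total under the size floor."""
    return sorted(h for h in blocked_hosts
                  if classify(nodeinfo_by_host.get(h, ""))[0] in ("ok", "too_small"))

if __name__ == "__main__":
    print("defederate:", defederation_candidates(SAMPLE_NODEINFO))
    print("refederate:", refederation_candidates(
        ["swarm.example", "cleaned.example"], SAMPLE_NODEINFO))
```
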

  • Agree. Defederate

  • Yay

  • I'm not very well versed in how all of this works or what the consequences of a defederation are (besides, you know, not getting to see its content anymore). But an instance with such an odd composition of users and active users should be watched with suspicion. I don't know if immediate defederation is the best solution, but it might be a good idea to have some kind of policy ready should suspicions be proven to be true?

  • Test 2
